#!/usr/bin/env bash

export CA_PARENT_DIR="/tmp/CA7"
export EXPIRE_DAYS=1

# 创建目录结构
mkdir -p $CA_PARENT_DIR/private $CA_PARENT_DIR/certs $CA_PARENT_DIR/newcerts $CA_PARENT_DIR/crl $CA_PARENT_DIR/index.txt
touch $CA_PARENT_DIR/index.txt
echo 1000 > $CA_PARENT_DIR/serial

# 生成根证书私钥（不加密的 RSA 格式）
openssl genrsa -out $CA_PARENT_DIR/private/root_ca.key 4096

# 生成根证书
openssl req -x509 -new -key $CA_PARENT_DIR/private/root_ca.key -sha256 -days $EXPIRE_DAYS -out $CA_PARENT_DIR/certs/root_ca.crt -subj "/C=CN/ST=ShanDong/L=Qingdao/O=Hisense/OU=OVCloud/CN=*.hijuconn.com"

# 生成服务器私钥（不加密的 RSA 格式）
openssl genrsa -out $CA_PARENT_DIR/private/hijuconn.key 2048

# 生成服务器证书签名请求 (CSR)
openssl req -new -key $CA_PARENT_DIR/private/hijuconn.key -out $CA_PARENT_DIR/private/hijuconn.csr -subj "/C=CN/ST=ShanDong/L=Qingdao/O=Hisense/OU=OVCloud/CN=*.hijuconn.com"

# 使用根证书签发服务器证书
openssl x509 -req -in $CA_PARENT_DIR/private/hijuconn.csr -CA $CA_PARENT_DIR/certs/root_ca.crt -CAkey $CA_PARENT_DIR/private/root_ca.key -CAcreateserial -out $CA_PARENT_DIR/certs/hijuconn.crt -days $EXPIRE_DAYS -sha256

# 检查根证书过期时间
openssl x509 -in ca.crt -noout -dates

# 验证私钥格式（无需解密）
openssl rsa -in $CA_PARENT_DIR/private/hijuconn.key -noout -text